Introduction
A single line of PHP in a WordPress plugin installed on over one million websites was silently passing user controlled data into a block type registration call, allowing any Contributor level user to register an arbitrary PHP function as a rendering callback and then trigger its execution in the same page request. CVE-2026-7465 is a CVSS 8.8 Remote Code Execution vulnerability in the Spectra Gutenberg Blocks plugin (formerly Ultimate Addons for Gutenberg) by Brainstorm Force, and its two stage exploitation mechanism through the Gutenberg block rendering pipeline makes it both architecturally interesting and practically dangerous.
Spectra Gutenberg Blocks is a popular WordPress plugin that extends the native block editor with additional design and layout blocks. With over 1,000,000 active installations and a 4.7 star rating from nearly 1,900 reviews, it is one of the most widely deployed block editor extensions in the WordPress ecosystem. The plugin is developed by Brainstorm Force, a Pune based company with over 130 team members whose products (including the Astra theme) are used by millions of WordPress sites globally.
Technical Information
Root Cause
The vulnerability lives in the render_block() method of classes/class-uagb-init-blocks.php, specifically around lines 330 and 335 of the vulnerable version (2.19.25). This method hooks into WordPress's render_block filter and fires on every block rendered on the frontend.
To support WordPress 6.9's "Hide Blocks" feature, the Spectra plugin introduced logic to dynamically register any uagb/ prefixed block type that was not already present in the WP_Block_Type_Registry. The problem was in how it performed that registration. At line 335 of the vulnerable version, the code executed:
$registry->register( $block['blockName'], $block['attrs'] );
The $block['attrs'] array is parsed directly from serialized post content. In WordPress, any user with Contributor level access or above can author post content. WordPress's register_block_type() function accepts a render_callback key inside its arguments array. If present, this callable is stored in the block type registry and later invoked via call_user_func() whenever a block of that type is rendered.
Because $block['attrs'] was passed wholesale to the registration function, an attacker could embed a render_callback key pointing to any arbitrary PHP function (such as system, exec, or passthru) within the block attributes of a crafted uagb/ prefixed block.
Attack Flow
The exploitation follows a two stage process within a single page request:
Stage 1: Malicious Block Registration. The attacker creates a post containing a first block with a fabricated block type name using the uagb/ prefix (for example, uagb/evil). This block's attributes include a render_callback key pointing to an attacker chosen PHP function. When the Spectra plugin's render_block() method encounters this block, it checks the WP_Block_Type_Registry, finds that uagb/evil is not registered, and calls $registry->register( 'uagb/evil', $block['attrs'] ). The malicious render_callback is now stored in the block type registry.
Stage 2: Callback Invocation. A second block of the same fake type (uagb/evil) is embedded in the same post content. When WordPress's sequential block rendering pipeline reaches this second block, the block type is now registered (from Stage 1). WordPress core's render_block_data pipeline invokes the registered render_callback via call_user_func(), executing whatever PHP function the attacker specified.
This two block design is notable because it separates the malicious callback registration from its invocation. Each block individually may appear benign; the exploit only manifests when both blocks are processed in sequence during the same rendering cycle.
Attack Vector Summary
| Parameter | Detail |
|---|---|
| Authentication Required | Yes, Contributor level or above |
| User Interaction | None required |
| Attack Complexity | Low |
| Network Access | Remote |
| Scope | Unchanged |
| Maximum Impact | Complete server compromise (RCE) |
| Exploitation Pattern | Two block payload in single post content |
An important nuance: the Contributor role in WordPress is the second lowest user role, above Subscriber. Contributors can create and edit their own posts but cannot publish them. However, the exploit payload is embedded in post content, and even saving a draft can trigger the block registration and rendering pipeline when the post is previewed or reviewed by an editor. This means a Contributor can weaponize a draft post without requiring publish permissions.
Discovery Credit
The vulnerability was discovered by security researcher kai63001 (Supanat Konprom) and reported through Wordfence's vulnerability disclosure program.
Patch Information
The Spectra development team shipped the fix in version 2.19.26, released on May 4, 2026. The patch is a precisely targeted, single line change inside the render_block() method of classes/class-uagb-init-blocks.php.
In the vulnerable version (2.19.25 and earlier), the registration call at line 335 was:
$registry->register( $block['blockName'], $block['attrs'] );
In the patched version (2.19.26), this was changed to:
$registry->register( $block['blockName'], array() );
By replacing $block['attrs'] with an empty array(), the fix ensures that no user controlled data is passed to the block type registration. The block is still registered as a stub (satisfying the WordPress 6.9 compatibility requirement for the "Hide Blocks" feature), but it carries no render_callback, no attacker specified arguments, and nothing exploitable. This single line change completely severs the trust chain between user authored content and PHP callable registration.
The plugin changelog for version 2.19.26 confirms: "This update addressed a security bug. Props to Wordfence for reporting it responsibly." The latest available version at the time of disclosure is 2.19.28. Site administrators should update to 2.19.26 or later immediately.
The vulnerable and patched source files can be compared directly:
Compensating Controls
If immediate update is not feasible, the following measures can reduce risk:
- Restrict Contributor and Author roles: Since exploitation requires Contributor level access or above, limiting the number of users with posting privileges directly reduces the attack surface. Audit all user accounts and remove or downgrade any that are not essential.
- Deploy WAF rules: Configure rules to inspect incoming post content for suspicious
uagb/prefixed block registrations that includerender_callbackattributes referencing non standard PHP functions. Wordfence Premium can provide virtual patching rules for this vulnerability. - Search for existing payloads: Query the WordPress database for post content containing
uagb/prefixed block types with unusualrender_callbackattributes to identify previously inserted exploit payloads. - Temporarily deactivate the plugin: If Spectra is not critical to site functionality, deactivating it entirely eliminates the attack vector until a patched version can be installed.
Affected Systems and Versions
All versions of the Spectra Gutenberg Blocks plugin (also known as Ultimate Addons for Gutenberg) up to and including version 2.19.25 are vulnerable. This encompasses every release of the plugin from its initial availability on June 13, 2018 through the vulnerable version.
The vulnerability is exploitable on any WordPress installation where:
- The Spectra Gutenberg Blocks plugin is installed and active at version 2.19.25 or below
- At least one user account exists with Contributor level access or higher
Version 2.19.26 and later are not affected.
Vendor Security History
Brainstorm Force has a documented pattern of security vulnerabilities in the Spectra plugin. Multiple CVEs have been assigned across 2024 through 2026:
| CVE | Type | Severity | Year |
|---|---|---|---|
| CVE-2026-7465 | Remote Code Execution | 8.8 (High) | 2026 |
| CVE-2026-42648 | Missing Authorization | Not fully populated in NVD | 2026 |
| CVE-2026-24982 | Missing Authorization | Not fully populated in NVD | 2026 |
| CVE-2026-0950 | Information Disclosure | Listed in NVD | 2026 |
| CVE-2025-11162 | Stored Cross Site Scripting | Listed in CVE Details | 2025 |
| CVE-2024-10484 | Stored XSS via Team Widget | Listed in NVD | 2024 |
The plugin's changelog reveals five security related patches in approximately eight months:
| Version | Release Date | Reported By |
|---|---|---|
| 2.19.26 | May 4, 2026 | Wordfence |
| 2.19.23 | April 21, 2026 | Patchstack |
| 2.19.21 | March 12, 2026 | Not specified |
| 2.19.18 | January 20, 2026 | Wordfence and Patchstack |
| 2.19.15 | October 3, 2025 | Wordfence |
The recurrence of privilege management failures (CWE-269 for this CVE, alongside multiple Missing Authorization CVEs) suggests a structural weakness in how the plugin validates permissions and callbacks, rather than isolated coding errors. While Brainstorm Force has been responsive in issuing patches, the frequency of discoveries by independent researchers indicates that the plugin's security architecture would benefit from a comprehensive audit. Organizations should evaluate whether to continue relying on this plugin for production sites, or restrict it to trusted editor only environments.
References
- Wordfence Advisory: Spectra Gutenberg Blocks <= 2.19.25 RCE
- NVD: CVE-2026-7465 Detail
- CVE Record: CVE-2026-7465
- Vulnerable Source: class-uagb-init-blocks.php (2.19.25)
- Patched Source: class-uagb-init-blocks.php (2.19.26)
- WordPress Plugin Page: Spectra Gutenberg Blocks (Changelog)
- WordPress Trac: Vulnerable Code at Line 330
- WordPress Trac: Vulnerable Code at Line 335
- WordPress Trac: Patched Code at Line 330 (trunk)
- WordPress Trac: Patched Code at Line 335 (trunk)
- Wordfence: Spectra Plugin Vulnerability History
- Patchstack: Spectra Plugin Information Disclosure
- Brainstorm Force: About
- Brainstorm Force: Products



